From 1e5b6a6a0f16887291a4e5228229f0e6913c7072 Mon Sep 17 00:00:00 2001
From: Shannon
Date: Thu, 7 Apr 2016 15:42:51 +0200
Subject: [PATCH 1/2] Fixes: U4-8298 CacheRefresher authorization logic reversed - traditional load balancing will not work
---
 .../webservices/CacheRefresher.asmx.cs | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/Umbraco.Web/umbraco.presentation/umbraco/webservices/CacheRefresher.asmx.cs b/src/Umbraco.Web/umbraco.presentation/umbraco/webservices/CacheRefresher.asmx.cs
index a58a81dfc7..2cda4a0593 100644
--- a/src/Umbraco.Web/umbraco.presentation/umbraco/webservices/CacheRefresher.asmx.cs
+++ b/src/Umbraco.Web/umbraco.presentation/umbraco/webservices/CacheRefresher.asmx.cs
@@ -60,7 +60,7 @@ namespace umbraco.presentation.webservices
 return jsonRefresher;
 }
- private bool NotAutorized(string login, string rawPassword)
+ private bool Autorized(string login, string rawPassword)
 {
 //TODO: This technique of passing the raw password in is a legacy idea and isn't really
 // a very happy way to secure this webservice. To prevent brute force attacks, we need
@@ -92,7 +92,7 @@ namespace umbraco.presentation.webservices
 [WebMethod]
 public void BulkRefresh(RefreshInstruction[] instructions, string appId, string login, string password)
 {
- if (NotAutorized(login, password)) return;
+ if (Autorized(login, password) == false) return;
 if (SelfMessage(appId)) return; // do not process self-messages
 // only execute distinct instructions - no sense in running the same one more than once
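Review bot: `Autorized` (first hunk, the renamed signature) still has no doc comment saying what its return value means, and the bug fixed here was a mismatch between the helper's name and how its callers read the result. I would add `/// <summary>Returns true only when the supplied login and raw password pass validation; callers must do no work when this returns false.</summary>` above the signature. The method body lies outside this hunk, so it is worth confirming that every failure path inside it, including any caught exception, ends in `false`.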
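Review bot: A rejected call in `BulkRefresh` still ends in a bare `return;`, so the caller receives an ordinary empty response and a credential failure looks the same as a completed refresh. That silence is presumably how the inverted check went unnoticed, and it leaves the brute-force attempts mentioned in the TODO on `Autorized` without any trace. Consider recording the rejection before returning, with the login name and remote address but never the password, along the lines of `if (Autorized(login, password) == false) { /* log failed cache-refresh authorization */ return; }`. The same applies to the seven guards in the later hunks, from `RefreshAll` to `GetRefreshers`. `BulkRefresh` continues past the end of this hunk.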
@@ -131,29 +131,29 @@ namespace umbraco.presentation.webservices
 [WebMethod]
 public void RefreshAll(Guid uniqueIdentifier, string Login, string Password)
 {
- if (NotAutorized(Login, Password)) return;
+ if (Autorized(Login, Password) == false) return;
 GetRefresher(uniqueIdentifier).RefreshAll();
 }
 [WebMethod]
 public void RefreshByGuid(Guid uniqueIdentifier, Guid Id, string Login, string Password)
 {
- if (NotAutorized(Login, Password)) return;
+ if (Autorized(Login, Password) == false) return;
 GetRefresher(uniqueIdentifier).Refresh(Id);
 }
 [WebMethod]
 public void RefreshById(Guid uniqueIdentifier, int Id, string Login, string Password)
 {
- if (NotAutorized(Login, Password)) return;
+ if (Autorized(Login, Password) == false) return;
 GetRefresher(uniqueIdentifier).Refresh(Id);
 }
 [WebMethod]
 public void RefreshByIds(Guid uniqueIdentifier, string jsonIds, string Login, string Password)
 {
- if (NotAutorized(Login, Password)) return;
- var refresher = GetRefresher(uniqueIdentifier);
+ if (Autorized(Login, Password) == false) return;
+ var refresher = GetRefresher(uniqueIdentifier);
 foreach (var id in JsonConvert.DeserializeObject(jsonIds))
 refresher.Refresh(id);
 }
@@ -161,21 +161,21 @@ namespace umbraco.presentation.webservices
 [WebMethod]
 public void RefreshByJson(Guid uniqueIdentifier, string jsonPayload, string Login, string Password)
 {
- if (NotAutorized(Login, Password)) return;
+ if (Autorized(Login, Password) == false) return;
 GetJsonRefresher(uniqueIdentifier).Refresh(jsonPayload);
 }
 [WebMethod]
 public void RemoveById(Guid uniqueIdentifier, int Id, string Login, string Password)
 {
- if (NotAutorized(Login, Password)) return;
+ if (Autorized(Login, Password) == false) return;
 GetRefresher(uniqueIdentifier).Remove(Id);
 }
 [WebMethod]
 public XmlDocument GetRefreshers(string Login, string Password)
 {
- if (NotAutorized(Login, Password)) return null;
+ if (Autorized(Login, Password) == false) return null;
 var xd = new XmlDocument();
 xd.LoadXml("");
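Review bot: Nothing in this patch pins the deny path for the guards in `RefreshAll` through `RefreshByIds` here or in the hunk that follows, so they could be inverted again without anything failing. The diffstat lists only CacheRefresher.asmx.cs. A test per web method that passes wrong credentials and asserts the refresher was not invoked (and that `GetRefreshers` returns null), paired with one valid-credential case asserting it was, would cover both directions of the check. This is inferred from the patch alone; tests may exist elsewhere in the repository.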
From 20347c1ccd9665fe0fa775a283d6ebbd332f860d Mon Sep 17 00:00:00 2001
From: Claus
Date: Tue, 12 Apr 2016 13:17:41 +0200
Subject: [PATCH 2/2] Fixing typo.
---
 .../umbraco/webservices/CacheRefresher.asmx.cs | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/Umbraco.Web/umbraco.presentation/umbraco/webservices/CacheRefresher.asmx.cs b/src/Umbraco.Web/umbraco.presentation/umbraco/webservices/CacheRefresher.asmx.cs
index 2cda4a0593..cb6bd451b0 100644
--- a/src/Umbraco.Web/umbraco.presentation/umbraco/webservices/CacheRefresher.asmx.cs
+++ b/src/Umbraco.Web/umbraco.presentation/umbraco/webservices/CacheRefresher.asmx.cs
@@ -60,7 +60,7 @@ namespace umbraco.presentation.webservices
 return jsonRefresher;
 }
- private bool Autorized(string login, string rawPassword)
+ private bool Authorized(string login, string rawPassword)
 {
 //TODO: This technique of passing the raw password in is a legacy idea and isn't really
 // a very happy way to secure this webservice. To prevent brute force attacks, we need
@@ -92,7 +92,7 @@ namespace umbraco.presentation.webservices
 [WebMethod]
 public void BulkRefresh(RefreshInstruction[] instructions, string appId, string login, string password)
 {
- if (Autorized(login, password) == false) return;
+ if (Authorized(login, password) == false) return;
 if (SelfMessage(appId)) return; // do not process self-messages
 // only execute distinct instructions - no sense in running the same one more than once
@@ -131,28 +131,28 @@ namespace umbraco.presentation.webservices
 [WebMethod]
 public void RefreshAll(Guid uniqueIdentifier, string Login, string Password)
 {
- if (Autorized(Login, Password) == false) return;
+ if (Authorized(Login, Password) == false) return;
 GetRefresher(uniqueIdentifier).RefreshAll();
 }
 [WebMethod]
 public void RefreshByGuid(Guid uniqueIdentifier, Guid Id, string Login, string Password)
 {
- if (Autorized(Login, Password) == false) return;
+ if (Authorized(Login, Password) == false) return;
 GetRefresher(uniqueIdentifier).Refresh(Id);
 }
 [WebMethod]
 public void RefreshById(Guid uniqueIdentifier, int Id, string Login, string Password)
 {
- if (Autorized(Login, Password) == false) return;
+ if (Authorized(Login, Password) == false) return;
 GetRefresher(uniqueIdentifier).Refresh(Id);
 }
 [WebMethod]
 public void RefreshByIds(Guid uniqueIdentifier, string jsonIds, string Login, string Password)
 {
- if (Autorized(Login, Password) == false) return;
+ if (Authorized(Login, Password) == false) return;
 var refresher = GetRefresher(uniqueIdentifier);
 foreach (var id in JsonConvert.DeserializeObject(jsonIds))
 refresher.Refresh(id);
@@ -161,21 +161,21 @@ namespace umbraco.presentation.webservices
 [WebMethod]
 public void RefreshByJson(Guid uniqueIdentifier, string jsonPayload, string Login, string Password)
 {
- if (Autorized(Login, Password) == false) return;
+ if (Authorized(Login, Password) == false) return;
 GetJsonRefresher(uniqueIdentifier).Refresh(jsonPayload);
 }
 [WebMethod]
 public void RemoveById(Guid uniqueIdentifier, int Id, string Login, string Password)
 {
- if (Autorized(Login, Password) == false) return;
+ if (Authorized(Login, Password) == false) return;
 GetRefresher(uniqueIdentifier).Remove(Id);
 }
 [WebMethod]
 public XmlDocument GetRefreshers(string Login, string Password)
 {
- if (Autorized(Login, Password) == false) return null;
+ if (Authorized(Login, Password) == false) return null;
 var xd = new XmlDocument();
 xd.LoadXml("");